All the deadlines of Law 21.719: key dates and when it takes effect.

"When does it take effect?" is the question that comes up most often — but it is not the only date that matters. Once the law is mandatory, the clock starts running every time a customer exercises a right or a breach occurs. This is the table with every deadline in one place. If you want the full picture, start with the definitive guide to Law 21.719.

All deadlines and key dates

Milestone	Date / Deadline
Publication of the law	December 13, 2024
Adjustment period	24 months
Entry into force / start of oversight	December 1, 2026
Response to ARSOP rights	Within the legal time limit (in business days)
Breach notification to the Agency	Without undue delay, by the most expedient means
Breach communication to affected individuals	When it involves sensitive data, data of children and adolescents, or economic/financial data
Data retention	For as long as necessary for the purpose; afterward, erasure
Fines	Minor 5,000 · serious 10,000 · most serious 20,000 UTM
Aggravation for recidivism	Up to 60,000 UTM, or 2%–4% of annual revenue in Chile

What happens on December 1, 2026?

It is the date on which the Personal Data Protection Agency can begin to audit and impose sanctions. The law was published in December 2024 and granted a 24-month adjustment period precisely so organizations would arrive prepared. That window is running out: in practice, adjustment projects take between 1 and 6 months depending on size, so the time to start is before the deadline, not on it.

Deadlines to respond to rights (ARSOP)

Once the law is in force, any person may exercise their rights of Access, Rectification, Erasure, Objection and Portability. The organization must respond within the legal time limit, counted in business days. The problem is usually not the deadline itself, but not having a channel or a procedure ready when the first request arrives. We walk through the full flow —identity verification, exceptions and templates— in how to respond to ARSOP rights requests.

Deadlines in the event of a security breach

In the face of an incident affecting personal data, notification to the Agency must be made without undue delay and by the most expedient means possible. The law does not set a fixed number of hours; the 72-hour figure is an international best-practice benchmark. In addition, you must communicate to the affected individuals when the breach involves sensitive data, data of children and adolescents, or economic and financial data. That is why it pays to have the procedure rehearsed before you need it.

Why it does not pay to wait

Several compliance actions —contracts with processors, consent management, security measures— depend on third parties and on implementation time. Reaching December 1, 2026 with a documented plan under way, even if not everything is closed, demonstrates proactive accountability and serves as a mitigating factor. If you want to organize the work by area, use the compliance checklist.

Frequently asked questions

When does Law 21.719 take effect?

It was published on December 13, 2024, and becomes fully mandatory on December 1, 2026, after a 24-month adjustment period. From that date the Personal Data Protection Agency may audit and impose sanctions.

How long is the adjustment period?

24 months, counted from publication (December 13, 2024) until oversight begins (December 1, 2026). It is the time to implement compliance.

What is the deadline to respond to ARSOP rights?

Within the legal time limit, counted in business days. That is why it is essential to have a defined channel and procedure in place before the requests arrive.

What is the deadline to notify a breach?

To the Agency, without undue delay and by the most expedient means possible. To affected individuals, when the breach involves sensitive data, data of children and adolescents, or economic and financial data.